如何解释 ntoskrnl.exe +70380 中的 KMODE_EXCEPTION_NOT_HANDLED?

tag-icon tag-icon windows-7 windows drivers bsod smartcard
如何解释 ntoskrnl.exe +70380 中的 KMODE_EXCEPTION_NOT_HANDLED?

我遇到了一个非常棘手的难题,Windows 7 上的蓝屏问题。几周前,一台计算机在计算智能卡时开始出现蓝屏。这是一台带智能卡的 POS 机,对于每张开具的收据,它都必须计算智能卡中的哈希值。

于是我开始寻找驱动程序/硬件错误,我更新了一些驱动程序(即使旧驱动程序多年来一直没有错误)......但没有成功。因此我更换了智能卡和智能卡读卡器,但仍然不起作用。我还尝试将所有 POS 系统切换到另一台计算机,但每进行 10-20 次哈希计算,蓝屏就会再次出现。

我尝试分析转储文件,似乎故障组件是 ntoskrnl.exe,而且这似乎不是驱动程序连接错误。

这是转储文件: https://drive.google.com/file/d/0B68Lon7XGG2tdzcxLXUwSXJibms/view?usp=sharing

这是转储详细信息:

KMODE_EXCEPTION_NOT_HANDLED 0x0000001e  ffffffff`c0000005   00000000`00000000   00000000`00000008   00000000`00000000   ntoskrnl.exe    ntoskrnl.exe+70380

以及转储分析数据:

Crash Dump Analysis provided by OSR Open Systems Resources, Inc. (http://www.osr.com)
Online Crash Dump Analysis Service
See http://www.osronline.com for more information
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.23392.amd64fre.win7sp1_ldr.160317-0600
Machine Name:
Kernel base = 0xfffff800`02e4f000 PsLoadedModuleList = 0xfffff800`03091730
Debug session time: Sat May  7 14:48:33.499 2016 (UTC - 4:00)
System Uptime: 0 days 0:24:58.841
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: 0000000000000000, The address that the exception occurred at
Arg3: 0000000000000008, Parameter 0 of the exception
Arg4: 0000000000000000, Parameter 1 of the exception

Debugging Details:
------------------

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP: 
+0
00000000`00000000 ??              ???

EXCEPTION_PARAMETER1:  0000000000000008

EXCEPTION_PARAMETER2:  0000000000000000

WRITE_ADDRESS: GetPointerFromAddress: unable to read from fffff800030fb100
GetUlongFromAddress: unable to read from fffff800030fb1c8
 0000000000000000 Nonpaged pool

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

BUGCHECK_STR:  0x1e_c0000005

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  1

TRAP_FRAME:  fffff8800701b7f0 -- (.trap 0xfffff8800701b7f0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffa800737ee70 rbx=0000000000000000 rcx=fffffa8008f13a20
rdx=fffffa800737ee70 rsi=0000000000000000 rdi=0000000000000000
rip=0000000000000000 rsp=fffff8800701b980 rbp=0000000000000000
 r8=fffffa800398b010  r9=fffff8000303de80 r10=fffffa80036fb570
r11=fffffa8004a55c10 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
00000000`00000000 ??              ???
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80002f3f512 to fffff80002ebf380

STACK_TEXT:  
fffff880`0701af68 fffff800`02f3f512 : 00000000`0000001e ffffffff`c0000005 00000000`00000000 00000000`00000008 : nt!KeBugCheckEx
fffff880`0701af70 fffff800`02ebea02 : fffff880`0701b748 fffffa80`c0000120 fffff880`0701b7f0 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x40e2d
fffff880`0701b610 fffff800`02ebd57a : 00000000`00000008 00000000`00000000 00000000`00000200 fffffa80`c0000120 : nt!KiExceptionDispatch+0xc2
fffff880`0701b7f0 00000000`00000000 : 00000000`00000000 00000000`00000000 fffff880`0507cf00 fffffa80`08239bb8 : nt!KiPageFault+0x23a


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt! ?? ::FNODOBFM::`string'+40e2d
fffff800`02f3f512 cc              int     3

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt! ?? ::FNODOBFM::`string'+40e2d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  56eb24e6

FAILURE_BUCKET_ID:  X64_0x1e_c0000005_nt!_??_::FNODOBFM::_string_+40e2d

BUCKET_ID:  X64_0x1e_c0000005_nt!_??_::FNODOBFM::_string_+40e2d

Followup: MachineOwner
---------

BSOD 总是发生在同一操作中:智能卡哈希计算,但它不是系统性的,因为它可以在崩溃之前进行许多计算,有时它可以连续工作几天而没有错误。

我尝试读取该机器在第一次崩溃前几天进行的最新 Windows 更新:KB2952664、KB3137061、KB3138901、KB3142042、KB3145739、KB3146706、KB3146963、KB3147071、KB3148198、KB3148851、KB3149090,但似乎没有任何内容与智能卡相关,我也尝试过卸载它们,但没有成功。

几天后,另一台 POS 计算机也开始出现同样的问题和错误。那是一个使用另一台计算机硬件的系统,但使用相同的智能卡、智能卡读卡器和热敏收据打印机。我强调这些系统运行良好,而且我能想到的唯一最近变化是 Windows 更新。

最后我解决了从 Windows 7 升级到 Windows 10 的问题,但这不是一个真正的解决方案!

你能告诉我如何读取转储详细信息吗?是否有我没有考虑到的信息?

答案1

看起来您的问题很可能出在 iusb3xhc.sys(USB 3 主机控制器的驱动程序)上。

调试器的内置分析工具命令!analyze -v得出了这一结论。要使用它,您必须安装“Windows 调试工具”包并配置符号文件路径。然后在 WinDbg 中打开转储文件并在命令提示符下输入 !analyze -v。

要手动执行此操作,请打开转储文件,然后使用 kv 命令:

0: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`0701af68 fffff800`02f3f512 : 00000000`0000001e ffffffff`c0000005 00000000`00000000 00000000`00000008 : nt!KeBugCheckEx
fffff880`0701af70 fffff800`02ebea02 : fffff880`0701b748 fffffa80`c0000120 fffff880`0701b7f0 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x40e2d
fffff880`0701b610 fffff800`02ebd57a : 00000000`00000008 00000000`00000000 00000000`00000200 fffffa80`c0000120 : nt!KiExceptionDispatch+0xc2
fffff880`0701b7f0 00000000`00000000 : 00000000`00000000 00000000`00000000 fffff880`0507cf00 fffffa80`08239bb8 : nt!KiPageFault+0x23a (TrapFrame @ fffff880`0701b7f0)

这显示了一个非常短的堆栈。但在最后一行的右边缘,我们看到了来自 KiPageFault 的调用(表示正在处理内存访问错误),并带有“陷阱帧”指示。陷阱帧记录了页面错误异常时处理器的状态。调试器的.trap命令让我们将调试器的状态(无论如何是其中的一部分)设置为陷阱帧中记录的状态:

0: kd> .trap fffff880`0701b7f0
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed.
rax=fffffa800737ee70 rbx=0000000000000000 rcx=fffffa8008f13a20
rdx=fffffa800737ee70 rsi=0000000000000001 rdi=0000000000000000
rip=0000000000000000 rsp=fffff8800701b980 rbp=0000000000000000
 r8=fffffa800398b010  r9=fffff8000303de80 r10=fffffa80036fb570
r11=fffffa8004a55c10 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
00000000`00000000 ??               ???

现在我们kv再次尝试该命令:

0: kd> kv
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`0701b980 00000000`00000000 : 00000000`00000000 fffff880`0507cf00 fffffa80`08239bb8 fffff880`0701ba18 : 0x0
fffff880`0701b988 00000000`00000000 : fffff880`0507cf00 fffffa80`08239bb8 fffff880`0701ba18 fffff880`0507cf60 : 0x0
fffff880`0701b990 fffff880`0507cf00 : fffffa80`08239bb8 fffff880`0701ba18 fffff880`0507cf60 fffffa80`08f13a50 : 0x0
fffff880`0701b998 fffffa80`08239bb8 : fffff880`0701ba18 fffff880`0507cf60 fffffa80`08f13a50 00000000`00000000 : iusb3xhc+0x7cf00
fffff880`0701b9a0 fffff880`0701ba18 : fffff880`0507cf60 fffffa80`08f13a50 00000000`00000000 00000000`0000004f : 0xfffffa80`08239bb8
fffff880`0701b9a8 fffff880`0507cf60 : fffffa80`08f13a50 00000000`00000000 00000000`0000004f fffff880`009f1380 : 0xfffff880`0701ba18
fffff880`0701b9b0 fffffa80`08f13a50 : 00000000`00000000 00000000`0000004f fffff880`009f1380 00000000`00000000 : iusb3xhc+0x7cf60
fffff880`0701b9b8 00000000`00000000 : 00000000`0000004f fffff880`009f1380 00000000`00000000 00000000`00000100 : 0xfffffa80`08f13a50
fffff880`0701b9c0 00000000`0000004f : fffff880`009f1380 00000000`00000000 00000000`00000100 00000000`00000000 : 0x0
fffff880`0701b9c8 fffff880`009f1380 : 00000000`00000000 00000000`00000100 00000000`00000000 00000000`00000001 : 0x4f
fffff880`0701b9d0 00000000`00000000 : 00000000`00000100 00000000`00000000 00000000`00000001 fffff880`009f1f60 : 0xfffff880`009f1380
fffff880`0701b9d8 00000000`00000100 : 00000000`00000000 00000000`00000001 fffff880`009f1f60 fffff800`02eb4fbd : 0x0
fffff880`0701b9e0 00000000`00000000 : 00000000`00000001 fffff880`009f1f60 fffff800`02eb4fbd fffffa80`04807810 : 0x100
fffff880`0701b9e8 00000000`00000001 : fffff880`009f1f60 fffff800`02eb4fbd fffffa80`04807810 00000000`00000000 : 0x0
fffff880`0701b9f0 fffff880`009f1f60 : fffff800`02eb4fbd fffffa80`04807810 00000000`00000000 00000000`00000000 : 0x1
fffff880`0701b9f8 fffff800`02eb4fbd : fffffa80`04807810 00000000`00000000 00000000`00000000 00000000`00000000 : 0xfffff880`009f1f60
fffff880`0701ba00 fffff800`02ec48c2 : 00000000`00000001 00000000`00000000 00000000`0000004f fffffa80`036c66d0 : nt!KiCommitThreadWait+0x3dd
fffff880`0701ba90 fffff800`0319365f : fffffa80`04807b40 fffffa80`04807b40 00000000`00000000 fffffa80`0000004f : nt!KeDelayExecutionThread+0x186
fffff880`0701bb00 fffff800`03193fed : 00000000`00000000 ffffffff`fffe7960 00000000`00000000 00000000`00000000 : nt!IoCancelThreadIo+0x6f
fffff880`0701bb30 fffff800`03194651 : 00000000`00000000 fffff800`03158400 fffffa80`075e6100 00000000`00000000 : nt!PspExitThread+0x58d

该堆栈已损坏(请注意,调用站点地址处全为 0),但很明显,iusb3xhc.sys 驱动程序的调用正在进行中。

建议的解决方案:我很确定该驱动程序是由英特尔编写的。请访问英特尔网站,查看是否有比 Microsoft 提供的版本更新的版本。如果没有,或者没有帮助,请尝试较早的版本。最后的办法:禁用 USB 3 主控制器并使用 USB 2 速度,直到出现更好的驱动程序。

相关内容